21.5. Migrating from NIS to IdM
Migrating from an existing NIS server to Identity Management (IdM) requires the following steps:
21.5.1. Preparing Netgroup Entries in IdM
Before migrating, identify what kind of identities are being managed in the current NIS server:
- User Entries
  Determine what applications are using the user information provided by NIS. While some utilities, such as sudo, require NIS netgroups, several others can use regular UNIX groups. To migrate:
  - Create the corresponding user accounts in IdM. See Section 21.5.3.1, “Migrating User Entries”.
  - If you additionally require netgroups:
    - Add the netgroups. See Section 21.3.1, “Adding a Netgroup”.
    - Add the users to the netgroups. See Section 21.5.3.4, “Migrating Netgroup Entries”.
- Host Entries
  When you create a host group in IdM, a corresponding shadow NIS group is automatically created. Do not use the ipa netgroup-* commands on these shadow NIS groups. Use the ipa netgroup-* commands only to manage native netgroups created via the netgroup-add command.
- For a Direct Conversion
  If every user and host entry must use the same name, you can create the entries using the same names in IdM:
  - Create an entry for every user referenced in a netgroup.
  - Create an entry for every host referenced in a netgroup.
  - Create a netgroup with the same name as the original netgroup.
  - Add the users and hosts as direct members of the netgroup. If the users and hosts are members of groups or host groups, you can alternatively add these groups to the netgroup.
21.5.2. Enabling the NIS Listener in Identity Management
21.5.3. Exporting and Importing the Existing NIS Data
A NIS server can contain information about users, groups, hosts, netgroups, and automount maps. You can migrate these entry types to IdM.
In the following sections, we export the data from the current NIS server using the ypcat command, and use the output to import the entries to IdM using the corresponding ipa *-add commands.
- Make sure you install the yp-tools package, since it provides the ypcat command used in the migration scripts:

[root@nis-server ~]# yum install yp-tools -y
21.5.3.1. Migrating User Entries
The NIS passwd map contains information about users, such as names, UIDs, primary group, GECOS, shell, and home directory. Use this data to migrate NIS user accounts to IdM:
- Optional: If you require weak password support, see Section 21.5.4, “Enabling Weak Password Hashing for NIS User Authentication”.
- Create the /root/nis-users.sh script with the following content:

#!/bin/sh
# $1 is the NIS domain, $2 is the NIS master server
ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1

# Split the map on newlines only (bash syntax; /bin/sh is bash on RHEL)
IFS=$'\n'
for line in $(cat /dev/shm/nis-map.passwd) ; do
    IFS=' '
    username=$(echo $line | cut -f1 -d:)
    # Not collecting encrypted password because we need cleartext password
    # to create kerberos key
    uid=$(echo $line | cut -f3 -d:)
    gid=$(echo $line | cut -f4 -d:)
    gecos=$(echo $line | cut -f5 -d:)
    homedir=$(echo $line | cut -f6 -d:)
    shell=$(echo $line | cut -f7 -d:)

    # Now create this entry
    echo passw0rd1 | ipa user-add $username --first=NIS --last=USER \
        --password --gidnumber=$gid --uid=$uid --gecos="$gecos" --homedir=$homedir \
        --shell=$shell
    ipa user-show $username
done
- Authenticate as the IdM admin user:

[root@nis-server ~]# kinit admin
- Run the script. For example:
[root@nis-server ~]# sh /root/nis-users.sh nisdomain nis-master.example.com
Note: This script uses hard-coded values for the first name and last name, and sets the password to passw0rd1. The user must change the temporary password at the next log in.
21.5.3.2. Migrating Group Entries
The NIS group map contains information about groups, such as group names, GIDs, or group members. Use this data to migrate NIS groups to IdM:
- Create the /root/nis-groups.sh script with the following content:

#!/bin/sh
# $1 is the NIS domain, $2 is the NIS master server
ypcat -d $1 -h $2 group > /dev/shm/nis-map.group 2>&1

# Split the map on newlines only (bash syntax; /bin/sh is bash on RHEL)
IFS=$'\n'
for line in $(cat /dev/shm/nis-map.group); do
    IFS=' '
    groupname=$(echo $line | cut -f1 -d:)
    # Field 2 is the group password, which is not migrated
    gid=$(echo $line | cut -f3 -d:)
    members=$(echo $line | cut -f4 -d:)

    # Now create this entry
    ipa group-add $groupname --desc=NIS_GROUP_$groupname --gid=$gid
    if [ -n "$members" ]; then
        # $members is a comma-separated list, which ipa accepts as-is
        ipa group-add-member $groupname --users="$members"
    fi
    ipa group-show $groupname
done
- Authenticate as the IdM admin user:

[root@nis-server ~]# kinit admin
- Run the script. For example:
[root@nis-server ~]# sh /root/nis-groups.sh nisdomain nis-master.example.com
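The migration scripts above run ipa user-add and ipa group-add-member once per map line and stop reporting useful errors once a duplicate UID or an unknown member is hit. As an added pre-flight check (not part of the documented procedure), the following script validates the exported passwd and group maps before nis-users.sh and nis-groups.sh are run; the nis_preflight function name, the temporary directory and the sample map contents are constructed for illustration.

```shell
#!/bin/sh
# Added pre-flight check, not part of the documented migration scripts.
# Validates exported NIS passwd and group maps before nis-users.sh and
# nis-groups.sh are run. Assumes the maps were dumped with
#   ypcat -d <domain> -h <master> passwd   and   ... group

# Prints one line per problem found; returns 0 when both maps are clean.
nis_preflight() {
    awk -F: -v groups="$2" '
        # passwd map: name:password:uid:gid:gecos:home:shell
        FILENAME != groups {
            if (NF < 7)     { print "passwd: malformed line: " $0; bad++; next }
            if ($1 in user) { print "passwd: duplicate user " $1; bad++ }
            if ($3 in uid)  { print "passwd: uid " $3 " shared by " uid[$3] " and " $1; bad++ }
            if ($3 == 0)    { print "passwd: " $1 " is the root account (uid 0), do not migrate"; bad++ }
            user[$1] = 1; uid[$3] = $1; next
        }
        # group map: name:password:gid:member,member,...
        {
            if (NF < 4)     { print "group: malformed line: " $0; bad++; next }
            if ($3 in gid)  { print "group: gid " $3 " shared by " gid[$3] " and " $1; bad++ }
            gid[$3] = $1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in user)) {
                    print "group: " $1 " lists member " m[i] " not in passwd map"; bad++
                }
        }
        END { if (bad) exit 1 }
    ' "$1" "$2"
}

# Constructed sample maps (not real data): carol reuses the UID of bob, and
# the devs group lists dave, who has no passwd entry.
dir=$(mktemp -d)
cat > "$dir/passwd" <<'EOF'
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1001:Bob Example:/home/bob:/bin/bash
carol:x:1002:1003:Carol Example:/home/carol:/bin/sh
EOF
cat > "$dir/group" <<'EOF'
staff:x:1001:alice,bob
devs:x:1003:carol,dave
EOF

if nis_preflight "$dir/passwd" "$dir/group"; then
    echo "maps are clean, safe to run nis-users.sh and nis-groups.sh"
else
    echo "fix the problems above before migrating"
fi
```

Run it against the real /dev/shm/nis-map.passwd and /dev/shm/nis-map.group dumps; the group check depends on the passwd map being given first.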
21.5.3.3. Migrating Host Entries
The NIS hosts map contains information about hosts, such as host names and IP addresses. Use this data to migrate NIS host entries to IdM:
- Create the /root/nis-hosts.sh script with the following content:

#!/bin/sh
# $1 is the NIS domain, $2 is the NIS master server
ypcat -d $1 -h $2 hosts | egrep -v "localhost|127.0.0.1" > /dev/shm/nis-map.hosts 2>&1

# Split the map on newlines only (bash syntax; /bin/sh is bash on RHEL)
IFS=$'\n'
for line in $(cat /dev/shm/nis-map.hosts); do
    IFS=' '
    ipaddress=$(echo $line | awk '{print $1}')
    hostname=$(echo $line | awk '{print $2}')
    # IdM server name and domain, taken from the local IdM environment
    master=$(ipa env xmlrpc_uri | tr -d '[:space:]' | cut -f3 -d: | cut -f3 -d/)
    domain=$(ipa env domain | tr -d '[:space:]' | cut -f2 -d:)
    # Qualify short host names with the IdM domain
    if [ $(echo $hostname | grep "\." | wc -l) -eq 0 ] ; then
        hostname=$(echo $hostname.$domain)
    fi
    # Create the forward zone if it does not exist yet
    zone=$(echo $hostname | cut -f2- -d.)
    if [ $(ipa dnszone-show $zone 2>/dev/null | wc -l) -eq 0 ] ; then
        ipa dnszone-add $zone --name-server=$master --admin-email=root.$master
    fi
    # Create the reverse zone if it does not exist yet (assumes a /24 network)
    ptrzone=$(echo $ipaddress | awk -F. '{print $3 "." $2 "." $1 ".in-addr.arpa."}')
    if [ $(ipa dnszone-show $ptrzone 2>/dev/null | wc -l) -eq 0 ] ; then
        ipa dnszone-add $ptrzone --name-server=$master --admin-email=root.$master
    fi

    # Now create this entry
    ipa host-add $hostname --ip-address=$ipaddress
    ipa host-show $hostname
done
- Authenticate as the IdM admin user:

[root@nis-server ~]# kinit admin
- Run the script. For example:
[root@nis-server ~]# sh /root/nis-hosts.sh nisdomain nis-master.example.com
Note: This script does not migrate special host configurations, such as aliases.
21.5.3.4. Migrating Netgroup Entries
The NIS netgroup map contains information about netgroups. Use this data to migrate NIS netgroups to IdM:
- Create the /root/nis-netgroups.sh script with the following content:

#!/bin/sh
# $1 is the NIS domain, $2 is the NIS master server
# This script prints the ipa commands instead of running them, so that the
# generated commands can be reviewed before they are applied.
ypcat -k -d $1 -h $2 netgroup > /dev/shm/nis-map.netgroup 2>&1

# Split the map on newlines only (bash syntax; /bin/sh is bash on RHEL)
IFS=$'\n'
for line in $(cat /dev/shm/nis-map.netgroup); do
    IFS=' '
    netgroupname=$(echo $line | awk '{print $1}')
    triples=$(echo $line | sed "s/^$netgroupname //")
    echo "ipa netgroup-add $netgroupname --desc=NIS_NG_$netgroupname"
    # An empty host or user field in a triple is a NIS wildcard
    if [ $(echo $line | grep "(," | wc -l) -gt 0 ]; then
        echo "ipa netgroup-mod $netgroupname --hostcat=all"
    fi
    if [ $(echo $line | grep ",," | wc -l) -gt 0 ]; then
        echo "ipa netgroup-mod $netgroupname --usercat=all"
    fi
    for triple in $triples; do
        triple=$(echo $triple | sed -e 's/(//' -e 's/)//')
        if [ $(echo $triple | grep ",.*," | wc -l) -gt 0 ]; then
            hostname=$(echo $triple | cut -f1 -d,)
            username=$(echo $triple | cut -f2 -d,)
            domain=$(echo $triple | cut -f3 -d,)
            # A "-" field in a triple means "no value" and is not migrated
            [ "$hostname" = "-" ] && hostname=""
            [ "$username" = "-" ] && username=""
            [ "$domain" = "-" ] && domain=""
            hosts=""; users=""; doms="";
            [ -n "$hostname" ] && hosts="--hosts=$hostname"
            [ -n "$username" ] && users="--users=$username"
            [ -n "$domain" ] && doms="--nisdomain=$domain"
            echo "ipa netgroup-add-member $netgroupname $hosts $users $doms"
        else
            # A bare name is a nested netgroup. It is created when its own line
            # of the map is processed; here it is only added as a member.
            echo "ipa netgroup-add-member $netgroupname --netgroups=$triple"
        fi
    done
done
- Authenticate as the IdM admin user:

[root@nis-server ~]# kinit admin
- Run the script. For example:
[root@nis-server ~]# sh /root/nis-netgroups.sh nisdomain nis-master.example.com
21.5.3.5. Migrating Automount Maps
Automount maps are a series of nested and interrelated entries that define the location (the parent entry), the associated keys, and maps. To migrate NIS automount maps to IdM:
- Create the /root/nis-automounts.sh script with the following content:

#!/bin/sh
# $1 is for the automount entry in ipa
ipa automountlocation-add $1

# $2 is the NIS domain, $3 is the NIS master server, $4 is the map name
ypcat -k -d $2 -h $3 $4 > /dev/shm/nis-map.$4 2>&1

ipa automountmap-add $1 $4

# Expose the new map through the NIS server plug-in of the IdM Directory Server
basedn=$(ipa env basedn | tr -d '[:space:]' | cut -f2 -d:)
cat > /tmp/amap.ldif <<EOF
dn: nis-domain=$2+nis-map=$4,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
nis-domain: $2
nis-map: $4
nis-base: automountmapname=$4,cn=$1,cn=automount,$basedn
nis-filter: (objectclass=*)
nis-key-format: %{automountKey}
nis-value-format: %{automountInformation}
EOF
ldapadd -x -h $3 -D "cn=Directory Manager" -W -f /tmp/amap.ldif

# Split the map on newlines only (bash syntax; /bin/sh is bash on RHEL)
IFS=$'\n'
for line in $(cat /dev/shm/nis-map.$4); do
    IFS=" "
    key=$(echo "$line" | awk '{print $1}')
    info=$(echo "$line" | sed -e "s#^$key[ \t]*##")
    # Add the key to the map in the location given as $1
    ipa automountkey-add $1 $4 --key="$key" --info="$info"
done
The script exports the NIS automount information, generates an LDAP Data Interchange Format (LDIF) file for the automount location and associated map, and imports the LDIF file into the IdM Directory Server. For further details, see Section 21.4, “Exposing Automount Maps to NIS Clients”.
- Authenticate as the IdM admin user:

[root@nis-server ~]# kinit admin
- Run the script. For example:
[root@nis-server ~]# sh /root/nis-automounts.sh location nisdomain \
    nis-master.example.com map_name
21.5.4. Enabling Weak Password Hashing for NIS User Authentication
Using the Directory Server component's default setting, passwords stored in the userPassword attribute are hashed using the salted secure hash algorithm (SSHA). If your NIS clients require a weak hashing algorithm for passwords, update the password storage scheme setting.
Enabling a weak password hashing scheme affects only passwords stored in the userPassword attribute. Note that Kerberos does not use this attribute and therefore Kerberos encryption is not affected by this setting.
For example, to enable CRYPT hashed passwords:

[root@server ~]# ldapmodify -D "cn=Directory Manager" -W -p 389 -h ipaserver.example.com -x
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: crypt
Note: Because password hashes cannot be decrypted, Directory Server does not convert existing password hashes. The server applies the new password storage scheme only to passwords set after you changed the scheme.